conf: Options of all plugins documented
Some options are still missing descriptions though.
parent
da8b16a160
commit
828815b0d8
|
@ -8,7 +8,53 @@ options = \
|
|||
options/charon-logging.opt
|
||||
|
||||
plugins = \
|
||||
plugins/test.opt
|
||||
plugins/android_log.opt \
|
||||
plugins/attr.opt \
|
||||
plugins/attr-sql.opt \
|
||||
plugins/certexpire.opt \
|
||||
plugins/coupling.opt \
|
||||
plugins/dhcp.opt \
|
||||
plugins/dnscert.opt \
|
||||
plugins/duplicheck.opt \
|
||||
plugins/eap-aka.opt \
|
||||
plugins/eap-aka-3ggp2.opt \
|
||||
plugins/eap-dynamic.opt \
|
||||
plugins/eap-gtc.opt \
|
||||
plugins/eap-peap.opt \
|
||||
plugins/eap-radius.opt \
|
||||
plugins/eap-sim.opt \
|
||||
plugins/eap-simaka-sql.opt \
|
||||
plugins/eap-tls.opt \
|
||||
plugins/eap-tnc.opt \
|
||||
plugins/eap-ttls.opt \
|
||||
plugins/error-notify.opt \
|
||||
plugins/gcrypt.opt \
|
||||
plugins/ha.opt \
|
||||
plugins/ipseckey.opt \
|
||||
plugins/led.opt \
|
||||
plugins/kernel-klips.opt \
|
||||
plugins/kernel-libipsec.opt \
|
||||
plugins/kernel-netlink.opt \
|
||||
plugins/kernel-pfroute.opt \
|
||||
plugins/load-tester.opt \
|
||||
plugins/lookip.opt \
|
||||
plugins/ntru.opt \
|
||||
plugins/openssl.opt \
|
||||
plugins/pkcs11.opt \
|
||||
plugins/radattr.opt \
|
||||
plugins/random.opt \
|
||||
plugins/resolve.opt \
|
||||
plugins/socket-default.opt \
|
||||
plugins/sql.opt \
|
||||
plugins/stroke.opt \
|
||||
plugins/systime-fix.opt \
|
||||
plugins/tnc-ifmap.opt \
|
||||
plugins/tnc-pdp.opt \
|
||||
plugins/unbound.opt \
|
||||
plugins/updown.opt \
|
||||
plugins/whitelist.opt \
|
||||
plugins/xauth-eap.opt \
|
||||
plugins/xauth-pam.opt
|
||||
|
||||
alloptions = $(options) $(plugins)
|
||||
|
||||
|
|
|
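Review bot: The rendered view has dropped the +/- markers, so it is not visible whether `plugins/test.opt` at the head of the list (the only entry without a trailing `\`) is the removed old line or survives on the new side. Since this same commit deletes plugins/test.opt, that entry must not remain in `plugins`, otherwise the build references a file that no longer exists; presumably it is the removed line, but that is worth confirming in the raw diff. The rest of the list is alphabetical except for `plugins/led.opt` being placed before `plugins/kernel-klips.opt`.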
@ -0,0 +1,2 @@
|
|||
charon.plugins.android_log.loglevel = 1
|
||||
Loglevel for logging to Android specific logger.
|
|
@ -0,0 +1,5 @@
|
|||
charon.plugins.attr-sql.database
|
||||
Database URI for attr-sql plugin used by charon.
|
||||
|
||||
charon.plugins.attr-sql.lease_history = yes
|
||||
Enable logging of SQL IP pool leases.
|
|
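Review bot: `charon.plugins.attr-sql.database` is written without `=`, i.e. as an option without a default, while the equivalent `charon.plugins.sql.database =` in sql.opt and `charon.plugins.eap-simaka-sql.database =` carry an empty default; the three database URIs should use the same form so the generated strongswan.conf presents them consistently. Database URIs commonly embed the database user's password, so a short addition such as `Database URI for the attr-sql plugin used by charon; the URI may contain credentials.` would tell readers why the file deserves restrictive permissions — hedged, as the accepted URI syntax is not shown here.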
@ -0,0 +1,14 @@
|
|||
charon.plugins.attr {}
|
||||
Section to specify arbitrary attributes that are assigned to a peer via
|
||||
configuration payload (CP).
|
||||
|
||||
charon.plugins.attr.<attr>
|
||||
<attr> is an attribute name or an integer, values can be an IP address,
|
||||
subnet or arbitrary value.
|
||||
|
||||
**<attr>** can be either _address_, _netmask_, _dns_, _nbns_, _dhcp_,
|
||||
_subnet_, _split-include_, _split-exclude_ or the numeric identifier of the
|
||||
attribute type. The assigned value can be an IPv4/IPv6 address, a subnet in
|
||||
CIDR notation or an arbitrary value depending on the attribute type. For
|
||||
some attribute types multiple values may be specified as a comma separated
|
||||
list.
|
|
@ -0,0 +1,25 @@
|
|||
charon.plugins.certexpire.csv.cron
|
||||
Cron style string specifying CSV export times.
|
||||
|
||||
charon.plugins.certexpire.csv.empty_string =
|
||||
String to use in empty intermediate CA fields.
|
||||
|
||||
charon.plugins.certexpire.csv.fixed_fields = yes
|
||||
Use a fixed intermediate CA field count.
|
||||
|
||||
charon.plugins.certexpire.csv.force = yes
|
||||
Force export of all trustchains we have a private key for.
|
||||
|
||||
charon.plugins.certexpire.csv.format = %d:%m:%Y
|
||||
**strftime**(3) format string to export expiration dates as.
|
||||
|
||||
charon.plugins.certexpire.csv.local
|
||||
**strftime**(3) format string for the CSV file name to export local
|
||||
certificates to.
|
||||
|
||||
charon.plugins.certexpire.csv.remote
|
||||
**strftime**(3) format string for the CSV file name to export remote
|
||||
certificates to.
|
||||
|
||||
charon.plugins.certexpire.csv.separator = ,
|
||||
CSV field separator.
|
|
@ -0,0 +1,8 @@
|
|||
charon.plugins.coupling.file
|
||||
File to store coupling list to.
|
||||
|
||||
charon.plugins.coupling.hash = sha1
|
||||
Hashing algorithm to fingerprint coupled certificates.
|
||||
|
||||
charon.plugins.coupling.max = 1
|
||||
Maximum number of coupling entries to create.
|
|
@ -0,0 +1,22 @@
|
|||
charon.plugins.dhcp.force_server_address = no
|
||||
Always use the configured server address.
|
||||
|
||||
Always use the configured server address. This might be helpful if the DHCP
|
||||
server runs on the same host as strongSwan, and the DHCP daemon does not
|
||||
listen on the loopback interface. In that case the server cannot be reached
|
||||
via unicast (or even 255.255.255.255) as that would be routed via loopback.
|
||||
Setting this option to yes and configuring the local broadcast address (e.g.
|
||||
192.168.0.255) as server address might work.
|
||||
|
||||
charon.plugins.dhcp.identity_lease = no
|
||||
Derive user-defined MAC address from hash of IKE identity.
|
||||
|
||||
charon.plugins.dhcp.server = 255.255.255.255
|
||||
DHCP server unicast or broadcast IP address.
|
||||
|
||||
charon.plugins.dhcp.interface
|
||||
Interface name the plugin uses for address allocation.
|
||||
|
||||
Interface name the plugin uses for address allocation. The default is to
|
||||
bind to any (0.0.0.0) and let the system decide which way to route the
|
||||
packets to the DHCP server.
|
|
@ -0,0 +1,2 @@
|
|||
charon.plugins.dnscert.enable = no
|
||||
Enable fetching of CERT RRs via DNS.
|
|
@ -0,0 +1,5 @@
|
|||
charon.plugins.duplicheck.enable = yes
|
||||
Enable duplicheck plugin (if loaded).
|
||||
|
||||
charon.plugins.duplicheck.socket = unix://${piddir}/charon.dck
|
||||
Socket provided by the duplicheck plugin.
|
|
@ -0,0 +1 @@
|
|||
charon.plugins.eap-aka-3ggp2.seq_check =
|
|
@ -0,0 +1 @@
|
|||
charon.plugins.eap-aka.request_identity = yes
|
|
@ -0,0 +1,13 @@
|
|||
charon.plugins.eap-dynamic.preferred =
|
||||
The preferred EAP method(s) to be used.
|
||||
|
||||
The preferred EAP method(s) to be used. If it is not given the first
|
||||
registered method will be used initially. If a comma separated list is
|
||||
given the methods are tried in the given order before trying the rest of
|
||||
the registered methods.
|
||||
|
||||
charon.plugins.eap-dynamic.prefer_user = no
|
||||
Prefer peer's proposed EAP methods.
|
||||
|
||||
If enabled the EAP methods proposed in an EAP-Nak message sent by the peer
|
||||
are preferred over the methods registered locally.
|
|
@ -0,0 +1,2 @@
|
|||
charon.plugins.eap-gtc.backend = pam
|
||||
XAuth backend to be used for credential verification.
|
|
@ -0,0 +1,20 @@
|
|||
charon.plugins.eap-peap.fragment_size = 1024
|
||||
Maximum size of an EAP-PEAP packet.
|
||||
|
||||
charon.plugins.eap-peap.max_message_count = 32
|
||||
Maximum number of processed EAP-PEAP packets (0 = no limit).
|
||||
|
||||
charon.plugins.eap-peap.include_length = no
|
||||
Include length in non-fragmented EAP-PEAP packets.
|
||||
|
||||
charon.plugins.eap-peap.phase2_method = mschapv2
|
||||
Phase2 EAP client authentication method.
|
||||
|
||||
charon.plugins.eap-peap.phase2_piggyback = no
|
||||
Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
|
||||
|
||||
charon.plugins.eap-peap.phase2_tnc = no
|
||||
Start phase2 EAP TNC protocol after successful client authentication.
|
||||
|
||||
charon.plugins.eap-peap.request_peer_auth = no
|
||||
Request peer authentication based on a client certificate.
|
|
@ -0,0 +1,103 @@
|
|||
charon.plugins.eap-radius.accounting = no
|
||||
Send RADIUS accounting information to RADIUS servers.
|
||||
|
||||
charon.plugins.eap-radius.accounting_requires_vip = no
|
||||
If enabled, accounting is disabled unless an IKE_SA has at least one
|
||||
virtual IP.
|
||||
|
||||
charon.plugins.eap-radius.class_group = no
|
||||
Use class attributes in RADIUS-Accept messages as group membership
|
||||
information.
|
||||
|
||||
Use the _class_ attribute sent in the RADIUS-Accept message as group
|
||||
membership information that is compared to the groups specified in the
|
||||
**rightgroups** option in **ipsec.conf**(5).
|
||||
|
||||
charon.plugins.eap-radius.close_all_on_timeout = no
|
||||
Closes all IKE_SAs if communication with the RADIUS server times out. If it
|
||||
is not set only the current IKE_SA is closed.
|
||||
|
||||
charon.plugins.eap-radius.dae.enable = no
|
||||
Enables support for the Dynamic Authorization Extension (RFC 5176).
|
||||
|
||||
charon.plugins.eap-radius.dae.listen = 0.0.0.0
|
||||
Address to listen for DAE messages from the RADIUS server.
|
||||
|
||||
charon.plugins.eap-radius.dae.port = 3799
|
||||
Port to listen for DAE requests.
|
||||
|
||||
charon.plugins.eap-radius.dae.secret
|
||||
Shared secret used to verify/sign DAE messages.
|
||||
|
||||
charon.plugins.eap-radius.eap_start = no
|
||||
Send EAP-Start instead of EAP-Identity to start RADIUS conversation.
|
||||
|
||||
charon.plugins.eap-radius.filter_id = no
|
||||
Use filter_id attribute as group membership information.
|
||||
|
||||
If the RADIUS _tunnel_type_ attribute with value **ESP** is received, use
|
||||
the _filter_id_ attribute sent in the RADIUS-Accept message as group
|
||||
membership information that is compared to the groups specified in the
|
||||
**rightgroups** option in **ipsec.conf**(5).
|
||||
|
||||
charon.plugins.eap-radius.forward.ike_to_radius
|
||||
RADIUS attributes to be forwarded from IKEv2 to RADIUS.
|
||||
|
||||
RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by
|
||||
name or attribute number, a colon can be used to specify vendor-specific
|
||||
attributes, e.g. Reply-Message, or 11, or 36906:12).
|
||||
|
||||
charon.plugins.eap-radius.forward.radius_to_ike =
|
||||
Same as ike_to_radius but from RADIUS to IKEv2.
|
||||
|
||||
Same as _charon.plugins.eap-radius.forward.ike_to_radius_ but from RADIUS to
|
||||
IKEv2, a strongSwan specific private notify (40969) is used to transmit the
|
||||
attributes.
|
||||
|
||||
charon.plugins.eap-radius.id_prefix
|
||||
Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
|
||||
EAP method.
|
||||
|
||||
charon.plugins.eap-radius.nas_identifier = strongSwan
|
||||
NAS-Identifier to include in RADIUS messages.
|
||||
|
||||
charon.plugins.eap-radius.port = 1812
|
||||
Port of RADIUS server (authentication).
|
||||
|
||||
charon.plugins.eap-radius.secret =
|
||||
Shared secret between RADIUS and NAS.
|
||||
|
||||
charon.plugins.eap-radius.server =
|
||||
IP/Hostname of RADIUS server.
|
||||
|
||||
charon.plugins.eap-radius.servers {}
|
||||
Section to specify multiple RADIUS servers.
|
||||
|
||||
Section to specify multiple RADIUS servers. The **nas_identifier**,
|
||||
**secret**, **sockets** and **port** (or **auth_port**) options can be
|
||||
specified for each server. A server's IP/Hostname can be configured using
|
||||
the **address** option. The **acct_port** [1813] option can be used to
|
||||
specify the port used for RADIUS accounting. For each RADIUS server a
|
||||
priority can be specified using the **preference** [0] option.
|
||||
|
||||
charon.plugins.eap-radius.sockets = 1
|
||||
Number of sockets (ports) to use, increase for high load.
|
||||
|
||||
charon.plugins.eap-radius.xauth {}
|
||||
Section to configure multiple XAuth authentication rounds via RADIUS.
|
||||
|
||||
Section to configure multiple XAuth authentication rounds via RADIUS.
|
||||
The subsections define so called authentication profiles with arbitrary
|
||||
names. In each profile section one or more XAuth types can be configured,
|
||||
with an assigned message. For each type a separate XAuth exchange will be
|
||||
initiated and all replies get concatenated into the User-Password attribute,
|
||||
which then gets verified over RADIUS.
|
||||
|
||||
Available XAuth types are **password**, **passcode**, **nextpin**, and
|
||||
**answer**. This type is not relevant to strongSwan or the AAA server, but
|
||||
the client may show a different dialog (along with the configured message).
|
||||
|
||||
To use the configured profiles, they have to be configured in the respective
|
||||
connection in **ipsec.conf**(5) by appending the profile name, separated by
|
||||
a colon, to the **xauth-radius** XAauth backend configuration in _rightauth_
|
||||
or _rightauth2_, for instance, _rightauth2=xauth-radius:profile_.
|
|
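Review bot: `charon.plugins.eap-radius.forward.ike_to_radius` is written without `=` while its counterpart `charon.plugins.eap-radius.forward.radius_to_ike =` carries an empty default; in this format a bare key means an option without default (compare the removed test.opt), so two symmetric list options are documented with different defaults and one of them should be aligned with the other. The `dae.listen = 0.0.0.0` description could also state what the default implies, since the DAE listener accepts disconnect/authorization messages that are verified only through `dae.secret`, e.g. `Address to listen for DAE messages from the RADIUS server. The default binds all IPv4 addresses; messages are verified using dae.secret.` The `id_prefix` description has a small typo, `a IMSI prefix` should read `an IMSI prefix`.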
@ -0,0 +1 @@
|
|||
charon.plugins.eap-sim.request_identity = yes
|
|
@ -0,0 +1,3 @@
|
|||
charon.plugins.eap-simaka-sql.database =
|
||||
|
||||
charon.plugins.eap-simaka-sql.remove_used = no
|
|
@ -0,0 +1,8 @@
|
|||
charon.plugins.eap-tls.fragment_size = 1024
|
||||
Maximum size of an EAP-TLS packet.
|
||||
|
||||
charon.plugins.eap-tls.max_message_count = 32
|
||||
Maximum number of processed EAP-TLS packets (0 = no limit).
|
||||
|
||||
charon.plugins.eap-tls.include_length = yes
|
||||
Include length in non-fragmented EAP-TLS packets.
|
|
@ -0,0 +1,6 @@
|
|||
charon.plugins.eap-tnc.max_message_count = 10
|
||||
Maximum number of processed EAP-TNC packets (0 = no limit).
|
||||
|
||||
charon.plugins.eap-tnc.protocol = tnccs-1.1
|
||||
IF-TNCCS protocol version to be used (_tnccs-1.1_, _tnccs-2.0_,
|
||||
_tnccs-dynamic_).
|
|
@ -0,0 +1,20 @@
|
|||
charon.plugins.eap-ttls.fragment_size = 1024
|
||||
Maximum size of an EAP-TTLS packet.
|
||||
|
||||
charon.plugins.eap-ttls.max_message_count = 32
|
||||
Maximum number of processed EAP-TTLS packets (0 = no limit).
|
||||
|
||||
charon.plugins.eap-ttls.include_length = yes
|
||||
Include length in non-fragmented EAP-TTLS packets.
|
||||
|
||||
charon.plugins.eap-ttls.phase2_method = md5
|
||||
Phase2 EAP client authentication method.
|
||||
|
||||
charon.plugins.eap-ttls.phase2_piggyback = no
|
||||
Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
|
||||
|
||||
charon.plugins.eap-ttls.phase2_tnc = no
|
||||
Start phase2 EAP TNC protocol after successful client authentication.
|
||||
|
||||
charon.plugins.eap-ttls.request_peer_auth = no
|
||||
Request peer authentication based on a client certificate.
|
|
@ -0,0 +1,2 @@
|
|||
charon.plugins.error-notify.socket = unix://${piddir}/charon.enfy
|
||||
Socket provided by the error-notify plugin.
|
|
@ -0,0 +1,2 @@
|
|||
charon.plugins.gcrypt.quick_random = no
|
||||
Use faster random numbers in gcrypt; for testing only, produces weak keys!
|
|
@ -0,0 +1,23 @@
|
|||
charon.plugins.ha.autobalance = 0
|
||||
Interval in seconds to automatically balance handled segments between nodes.
|
||||
Set to 0 to disable.
|
||||
|
||||
charon.plugins.ha.fifo_interface = yes
|
||||
|
||||
charon.plugins.ha.heartbeat_delay = 1000
|
||||
|
||||
charon.plugins.ha.heartbeat_timeout = 2100
|
||||
|
||||
charon.plugins.ha.local =
|
||||
|
||||
charon.plugins.ha.monitor = yes
|
||||
|
||||
charon.plugins.ha.pools =
|
||||
|
||||
charon.plugins.ha.remote =
|
||||
|
||||
charon.plugins.ha.resync = yes
|
||||
|
||||
charon.plugins.ha.secret =
|
||||
|
||||
charon.plugins.ha.segment_count = 1
|
|
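Review bot: The options that determine how the HA sync channel is protected, `charon.plugins.ha.secret =`, `charon.plugins.ha.local =` and `charon.plugins.ha.remote =`, are left without any description, so the generated strongswan.conf shows an empty `secret` with no hint of what an empty value means. Even one line per key would do: for `local` and `remote` the address of this node and of the peer node used for sync traffic, and for `secret` what it protects and the effect of leaving it empty (presumably the sync traffic is then exchanged unprotected — to be confirmed against the plugin). `heartbeat_delay = 1000` and `heartbeat_timeout = 2100` should at least name their unit.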
@ -0,0 +1,2 @@
|
|||
charon.plugins.ipseckey.enable = no
|
||||
Enable fetching of IPSECKEY RRs via DNS.
|
|
@ -0,0 +1,5 @@
|
|||
charon.plugins.kernel-klips.ipsec_dev_count = 4
|
||||
Number of ipsecN devices.
|
||||
|
||||
charon.plugins.kernel-klips.ipsec_dev_mtu = 0
|
||||
Set MTU of ipsecN device.
|
|
@ -0,0 +1,7 @@
|
|||
charon.plugins.kernel-libipsec.allow_peer_ts = no
|
||||
Allow that the remote traffic selector equals the IKE peer.
|
||||
|
||||
Allow that the remote traffic selector equals the IKE peer. The route
|
||||
installed for such traffic (via TUN device) usually prevents further IKE
|
||||
traffic. The fwmark options for the _kernel-netlink_ and _socket-default_
|
||||
plugins can be used to circumvent that problem.
|
|
@ -0,0 +1,18 @@
|
|||
charon.plugins.kernel-netlink.fwmark =
|
||||
Firewall mark to set on the routing rule that directs traffic to our routing
|
||||
table.
|
||||
|
||||
Firewall mark to set on the routing rule that directs traffic to our routing
|
||||
table. The format is [!]mark[/mask], where the optional exclamation mark
|
||||
inverts the meaning (i.e. the rule only applies to packets that don't match
|
||||
the mark).
|
||||
|
||||
charon.plugins.kernel-netlink.roam_events = yes
|
||||
Whether to trigger roam events when interfaces, addresses or routes change.
|
||||
|
||||
charon.plugins.kernel-netlink.xfrm_acq_expires = 165
|
||||
Lifetime of XFRM acquire state in kernel.
|
||||
|
||||
Lifetime of XFRM acquire state in kernel. The value gets written to
|
||||
/proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM
|
||||
acquire messages sent.
|
|
@ -0,0 +1,3 @@
|
|||
charon.plugins.kernel-pfroute.vip_wait = 1000
|
||||
Time in ms to wait until virtual IP addresses appear/disappear before
|
||||
failing.
|
|
@ -0,0 +1,3 @@
|
|||
charon.plugins.led.activity_led =
|
||||
|
||||
charon.plugins.led.blink_time = 50
|
|
@ -0,0 +1,4 @@
|
|||
charon.plugins.load-tester {}
|
||||
Section to configure the load-tester plugin, see LOAD TESTS in
|
||||
**strongswan.conf**(5)
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
charon.plugins.lookip.socket = unix://${piddir}/charon.lkp
|
||||
Socket provided by the lookip plugin.
|
|
@ -0,0 +1,8 @@
|
|||
charon.plugins.ntru.max_drbg_requests = 4294967294
|
||||
Number of pseudo-random bit requests from the DRBG before an automatic
|
||||
reseeding occurs.
|
||||
|
||||
charon.plugins.ntru.parameter_set = optimum
|
||||
The following parameter sets are available: **x9_98_speed**,
|
||||
**x9_98_bandwidth**, **x9_98_balance** and **optimum**, the last set not
|
||||
being part of the X9.98 standard but having the best performance.
|
|
@ -0,0 +1,5 @@
|
|||
charon.plugins.openssl.engine_id = pkcs11
|
||||
ENGINE ID to use in the OpenSSL plugin.
|
||||
|
||||
charon.plugins.openssl.fips_mode = 0
|
||||
Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
|
|
@ -0,0 +1,26 @@
|
|||
charon.plugins.pkcs11.modules {}
|
||||
List of available PKCS#11 modules.
|
||||
|
||||
charon.plugins.pkcs11.load_certs = yes
|
||||
Whether to load certificates from tokens.
|
||||
|
||||
charon.plugins.pkcs11.reload_certs = no
|
||||
Reload certificates from all tokens if charon receives a SIGHUP.
|
||||
|
||||
charon.plugins.pkcs11.use_dh = no
|
||||
Whether the PKCS#11 modules should be used for DH and ECDH (see _use_ecc_
|
||||
option).
|
||||
|
||||
charon.plugins.pkcs11.use_ecc = no
|
||||
Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
|
||||
operations. ECDSA private keys can be used regardless of this option.
|
||||
|
||||
charon.plugins.pkcs11.use_hasher = no
|
||||
Whether the PKCS#11 modules should be used to hash data.
|
||||
|
||||
charon.plugins.pkcs11.use_pubkey = no
|
||||
Whether the PKCS#11 modules should be used for public key operations, even
|
||||
for keys not stored on tokens.
|
||||
|
||||
charon.plugins.pkcs11.use_rng = no
|
||||
Whether the PKCS#11 modules should be used as RNG.
|
|
@ -0,0 +1,9 @@
|
|||
charon.plugins.radattr.dir =
|
||||
Directory where RADIUS attributes are stored in client-ID specific files.
|
||||
|
||||
charon.plugins.radattr.message_id = -1
|
||||
Add attributes to all IKE_AUTH messages (-1) or only to the one with the
|
||||
given message ID.
|
||||
|
||||
Attributes are added to all IKE_AUTH messages by default (-1), or only to
|
||||
the IKE_AUTH message with the given IKEv2 message ID.
|
|
@ -0,0 +1,9 @@
|
|||
charon.plugins.random.random = ${random_device}
|
||||
File to read random bytes from.
|
||||
|
||||
charon.plugins.random.urandom = ${urandom_device}
|
||||
File to read pseudo random bytes from.
|
||||
|
||||
charon.plugins.random.strong_equals_true = no
|
||||
If set to yes the RNG_STRONG class reads random bytes from the same source
|
||||
as the RNG_TRUE class.
|
|
@ -0,0 +1,11 @@
|
|||
charon.plugins.resolve.file = /etc/resolv.conf
|
||||
File where to add DNS server entries.
|
||||
|
||||
charon.plugins.resolve.resolvconf.iface_prefix = lo.inet.ipsec.
|
||||
Prefix used for interface names sent to resolvconf(8).
|
||||
|
||||
Prefix used for interface names sent to **resolvconf**(8). The nameserver
|
||||
address is appended to this prefix to make it unique. The result has to be
|
||||
a valid interface name according to the rules defined by resolvconf. Also,
|
||||
it should have a high priority according to the order defined in
|
||||
**interface-order**(5).
|
|
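Review bot: The short description of `charon.plugins.resolve.resolvconf.iface_prefix` writes `resolvconf(8)` in plain text while the long description uses `**resolvconf**(8)`. The other .opt files in this commit bold man page references consistently (`**strftime**(3)`, `**ipsec.conf**(5)`), so the short line should read `Prefix used for interface names sent to **resolvconf**(8).`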
@ -0,0 +1,11 @@
|
|||
charon.plugins.socket-default.fwmark =
|
||||
Firewall mark to set on outbound packets.
|
||||
|
||||
charon.plugins.socket-default.set_source = yes
|
||||
Set source address on outbound packets, if possible.
|
||||
|
||||
charon.plugins.socket-default.use_ipv4 = yes
|
||||
Listen on IPv4, if possible.
|
||||
|
||||
charon.plugins.socket-default.use_ipv6 = yes
|
||||
Listen on IPv6, if possible.
|
|
@ -0,0 +1,5 @@
|
|||
charon.plugins.sql.database =
|
||||
Database URI for charons SQL plugin.
|
||||
|
||||
charon.plugins.sql.loglevel = -1
|
||||
Loglevel for logging to SQL database.
|
|
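Review bot: `Database URI for charons SQL plugin.` should read `Database URI for charon's SQL plugin.`; the text ends up in the generated man page. Apart from the apostrophe, the wording differs from the attr-sql counterpart (`Database URI for attr-sql plugin used by charon.`) for what is the same kind of setting, and using one phrasing for both makes the two entries easier to compare in strongswan.conf.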
@ -0,0 +1,15 @@
|
|||
charon.plugins.stroke.ignore_missing_ca_basic_constraint = no
|
||||
Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
|
||||
certificates even if they don't contain a CA basic constraint.
|
||||
|
||||
charon.plugins.stroke.max_concurrent = 4
|
||||
Maximum number of stroke messages handled concurrently.
|
||||
|
||||
charon.plugins.stroke.prevent_loglevel_changes = no
|
||||
If enabled log level changes via stroke socket are not allowed.
|
||||
|
||||
charon.plugins.stroke.socket = unix://${piddir}/charon.ctl
|
||||
Socket provided by the stroke plugin.
|
||||
|
||||
charon.plugins.stroke.timeout = 0
|
||||
Timeout in ms for any stroke command. Use 0 to disable the timeout.
|
|
@ -0,0 +1,12 @@
|
|||
charon.plugins.systime-fix.interval = 0
|
||||
Interval in seconds to check system time for validity. 0 disables the check.
|
||||
|
||||
charon.plugins.systime-fix.reauth = no
|
||||
Whether to use reauth or delete if an invalid cert lifetime is detected.
|
||||
|
||||
charon.plugins.systime-fix.threshold =
|
||||
Threshold date where system time is considered valid. Disabled if not
|
||||
specified.
|
||||
|
||||
charon.plugins.systime-fix.threshold_format = %Y
|
||||
**strptime**(3) format used to parse threshold option.
|
|
@ -1,30 +0,0 @@
|
|||
charon.plugins.test.opt
|
||||
This is a normal option without default
|
||||
|
||||
charon.plugins.test.noncomment := set this
|
||||
This will not be commented out
|
||||
|
||||
charon.plugins.test.def = default
|
||||
Option with default
|
||||
|
||||
charon.plugins.test.sectionnocomment.opt = val
|
||||
The section this is in has no description
|
||||
|
||||
charon.plugins.test.sub {}
|
||||
This section has comments
|
||||
|
||||
charon.plugins.test.sub.opt = option in sub
|
||||
Section option
|
||||
|
||||
charon.plugins.test.<commented> { # }
|
||||
Commented example section
|
||||
|
||||
charon.plugins.test.<commented>.val = value
|
||||
This is commented anyway
|
||||
|
||||
charon.plugins.test.<commented>.assign := value
|
||||
This is commented too because of the commented section
|
||||
|
||||
charon.plugins.test.sub = value
|
||||
Sections can also be options with values
|
||||
Longer description with **bold** and _italic_.
|
|
@ -0,0 +1,20 @@
|
|||
charon.plugins.tnc-ifmap.client_cert =
|
||||
Path to X.509 certificate file of IF-MAP client.
|
||||
|
||||
charon.plugins.tnc-ifmap.client_key =
|
||||
Path to private key file of IF-MAP client.
|
||||
|
||||
charon.plugins.tnc-ifmap.device_name =
|
||||
Unique name of strongSwan server as a PEP and/or PDP device.
|
||||
|
||||
charon.plugins.tnc-ifmap.renew_session_interval = 150
|
||||
Interval in seconds between periodic IF-MAP RenewSession requests.
|
||||
|
||||
charon.plugins.tnc-ifmap.server_uri = https://localhost:8444/imap
|
||||
URI of the form [https://]servername[:port][/path].
|
||||
|
||||
charon.plugins.tnc-ifmap.server_cert =
|
||||
Path to X.509 certificate file of IF-MAP server.
|
||||
|
||||
charon.plugins.tnc-ifmap.username_password =
|
||||
Credentials of IF-MAP client of the form username:password.
|
|
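Review bot: `charon.plugins.tnc-ifmap.username_password =` places a plaintext credential in strongswan.conf and the description does not say so; suggest `Credentials of IF-MAP client of the form username:password (stored in clear text, keep the file permissions restrictive).` The `server_uri` description `URI of the form [https://]servername[:port][/path]` marks the scheme optional, which leaves open whether a plain http:// URI would be accepted; if only HTTPS is supported, stating that removes the ambiguity. Also `server_cert` is placed between `server_uri` and `username_password`, breaking the otherwise alphabetical key order in this file.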
@ -0,0 +1,23 @@
|
|||
charon.plugins.tnc-pdp.pt_tls.enable = yes
|
||||
Enable PT-TLS protocol on the strongSwan PDP.
|
||||
|
||||
charon.plugins.tnc-pdp.pt_tls.port = 271
|
||||
PT-TLS server port the strongSwan PDP is listening on.
|
||||
|
||||
charon.plugins.tnc-pdp.radius.enable = yes
|
||||
Enable RADIUS protocol on the strongSwan PDP.
|
||||
|
||||
charon.plugins.tnc-pdp.radius.method = ttls
|
||||
EAP tunnel method to be used.
|
||||
|
||||
charon.plugins.tnc-pdp.radius.port = 1812
|
||||
RADIUS server port the strongSwan PDP is listening on.
|
||||
|
||||
charon.plugins.tnc-pdp.radius.secret =
|
||||
Shared RADIUS secret between strongSwan PDP and NAS.
|
||||
|
||||
charon.plugins.tnc-pdp.server =
|
||||
Name of the strongSwan PDP as contained in the AAA certificate.
|
||||
|
||||
charon.plugins.tnc-pdp.timeout =
|
||||
Timeout in seconds before closing incomplete connections.
|
|
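Review bot: `charon.plugins.tnc-pdp.radius.secret =` documents an empty shared secret as the default of a RADIUS listener that is enabled by default (`radius.enable = yes`), and the description does not say what happens when it is left empty. If the plugin refuses to start the RADIUS service without a secret, say so; if it accepts an empty secret, the description should flag that as an insecure configuration, e.g. `Shared RADIUS secret between strongSwan PDP and NAS. Must be set; RADIUS messages are not verified otherwise.` — wording to be confirmed against the plugin. `timeout =` likewise has an empty default and the text `Timeout in seconds before closing incomplete connections.` does not state the effective timeout when the option is unset.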
@ -0,0 +1,17 @@
|
|||
charon.plugins.unbound.resolv_conf = /etc/resolv.conf
|
||||
File to read DNS resolver configuration from.
|
||||
|
||||
charon.plugins.unbound.trust_anchors = /etc/ipsec.d/dnssec.keys
|
||||
File to read DNSSEC trust anchors from (usually root zone KSK).
|
||||
|
||||
File to read DNSSEC trust anchors from (usually root zone KSK). The format
|
||||
of the file is the standard DNS Zone file format, anchors can be stored as
|
||||
DS or DNSKEY entries in the file.
|
||||
|
||||
charon.plugins.unbound.dlv_anchors =
|
||||
File to read trusted keys for DLV (DNSSEC Lookaside Validation) from.
|
||||
|
||||
File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It
|
||||
uses the same format as _trust_anchors_. Only one DLV can be configured,
|
||||
which is then used as a root trusted DLV, this means that it is a lookaside
|
||||
for the root.
|
|
@ -0,0 +1,7 @@
|
|||
charon.plugins.updown.dns_handler = no
|
||||
Whether the updown script should handle assigned DNS servers (if enabled
|
||||
they can't be handled by other plugins, like resolve).
|
||||
|
||||
Whether the updown script should handle DNS servers assigned via IKEv1 Mode
|
||||
Config or IKEv2 Config Payloads (if enabled they can't be handled by other
|
||||
plugins, like resolve)
|
|
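Review bot: The long description ends without a period at `plugins, like resolve)`, while every other multi-line description in this commit is terminated; suggest `plugins, like resolve).`. It is minor, but the text is rendered into the man page where the missing period is visible.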
@ -0,0 +1,6 @@
|
|||
charon.plugins.whitelist.enable = yes
|
||||
Enable loaded whitelist plugin.
|
||||
|
||||
charon.plugins.whitelist.socket = unix://${piddir}/charon.wlst
|
||||
Socket provided by the whitelist plugin.
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
charon.plugins.xauth-eap.backend = radius
|
||||
EAP plugin to be used as backend for XAuth credential verification.
|
|
@ -0,0 +1,9 @@
|
|||
charon.plugins.xauth-pam.pam_service = login
|
||||
PAM service to be used for authentication.
|
||||
|
||||
charon.plugins.xauth-pam.session = no
|
||||
Open/close a PAM session for each active IKE_SA.
|
||||
|
||||
charon.plugins.xauth-pam.trim_email = yes
|
||||
If an email address is received as an XAuth username, trim it to just the
|
||||
username part.
|